Days after a global investigation titled the Pegasus Project exposed how an intrusive software, called Pegasus, was used to target journalists, rights defenders, activists, and political leaders across the world, one country that utilized this technology has remained quiet. Authorities in Azerbaijan have so far refrained from making any statements about its surveillance policies or ties to the Israeli surveillance company that sells Pegasus software, NSO Group. According to leaked data, around 1,000 phone numbers belonging to users in Azerbaijan were identified — among them, prominent journalists, editors, rights defenders, lawyers, and political activists, as well as their friends and family members.
A successful Pegasus infection gives NSO customers access to all data stored on the device. An attack on a journalist could expose a reporter’s confidential sources as well as allowing NSO’s government client to read their chat messages, harvest their address book, listen to their calls, track their precise movements and even record their conversations by activating the device’s microphone.
Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed.
For months Paris-based journalism non-profit Forbidden Stories, Amnesty International Security Lab, and more than 80 journalists from 17 media outlets collaborated to establish the identities of those targeted by the intrusive NSO software after leaked data revealed that some 50,000 phone numbers across 50 countries were potentially targeted. So far, the groups have established where Pegasus was put to use: Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the United Arab Emirates; and have identified 14 world leaders plus 180 journalists, editors, and freelancers who were targeted.
Not all of the 50,000 numbers were subject to an attempted or successful hack. And in the absence of a forensic examination, it is impossible to tell whether a device was hacked. Amnesty International Security Lab was able to carry out forensic examinations on 67 phones so far, out of which 37 showed signs of Pegasus.
This interactive presentation lets you explore the dozens journalists, activists, and others who were selected for targeting sophisticated Israeli spyware.https://t.co/IbMYYoDsBI
— Organized Crime and Corruption Reporting Project (@OCCRP) July 22, 2021
The NSO Group
NSO Group insists that it sells its software only to governments, suggesting that the clients in these countries represent intelligence services, law enforcement agencies, or other official bodies.
NSO Group was set up in Israel in 2010 by Niv Carmi, Shalev Hulio, and Omri Lavie. On its website, the company claims to develop technology “to prevent and investigate terror and crime” but the surveillance technology appears to have been used against dissidents, journalists, and activists across the world. Citizen Lab investigations reveal that NSO's Pegasus was used against dissidents at least since 2016 in numerous countries.
In 2019, the company came under fire when accusations emerged that it was infecting users’ devices with malware by hacking WhatsApp. In response, WhatsApp and its parent company Facebook sued the NSO Group. In July 2020, a U.S. federal court judge ruled that the lawsuit against NSO Group can proceed despite the company's defense that “its business dealings with foreign governments, granted it immunity from lawsuits filed in U.S. courts under the Foreign Sovereign Immunity Act (FSIA).” In December 2020, Microsoft, Google, Internet Association, GitHub, and LinkedIn joined as parties in Facebook's ongoing legal battle against NSO. The most recent hearing took place in April 2021 and according to Politico the NSO Group appeared “unlikely to prevail.” Josh Gerstein, Politico's Senior Legal Affairs Reporter noted:
Even if the firm’s effort to head off the suit fails, it could continue to fight the case in the trial court, but will likely be forced to turn over documents about its development of Pegasus and make executives available for depositions.
In April of this year, nine international human rights and press freedom organizations penned a letter to Chaim Gelfand, Vice-President for Compliance at NSO Group, asking the company “to deliver on its commitments to improve transparency about sales of its advanced spyware, and due diligence to protect human rights.” The letter also rejected the NSO Group's claims “of their unverified compliance with human rights standards.”
The spectacle might be a mildly entertaining farce were it not for the very real and gruesome way in which its spyware is abused by the world’s worst autocrats. NSO’s irresponsible actions have proven their words are nothing more than hand-waving distractions from the harsh reality of the unregulated marketplace in which they, and their owners, thrive and profit.
Two years ago, the then-UN special rapporteur on freedom of expression, David Kaye, called for a moratorium on the sale of NSO-style spyware to governments until viable export controls could be put in place. Despite his warnings, the sale of surveillance software continued without any transparency or accountability.
The most recent investigation not only brings the company to the spotlight but also highlights the importance of control mechanisms imposed on spyware companies.
According to the Organized Crime and Corruption Reporting Project (OCCRP), which was among the 17 media partners involved in the global Pegasus investigation, out of the 1,000 phone numbers from Azerbaijan, the project researchers were so far able to identify 245 phone numbers that were targeted, a fifth of which belonged to reporters, editors, or media company owners. The list also includes activists and their family members.
Meydan TV, a Berlin-based online news platform, spoke with some of the targeted community members. “Anyone who is engaged in civil society work in Azerbaijan is aware they are under surveillance. But this program is a spyware. And its capabilities such as turning on microphone and camera, while in an intimate setting with friends or family members, without the owner's awareness, is a direct violation of privacy,” said Bakhtiyar Hajiyev, a political activist.
Among the dissident family members targeted by the spyware is Shura Amiraslanova, the mother of former political prisoner Giyas Ibrahimov, known as one of the “graffiti prisoners” who was jailed after spraying graffiti on the statue of the former Azerbaijan President Heydar Aliyev and later sentenced to ten years in jail on questionable drug possession charges. “I guess they thought that if I fully stand behind my son, I should be watched too. But why? What can I do?” said Amiraslanova in an interview with Meydan TV.
Speaking to Azerbaijan Service for Radio Free Europe, Elshad Hajiyev, the spokesperson for the Ministry of Interior Affairs, dismissed the investigation as “baseless” assuring that “the ministry is willing to investigate any allegations upon request.”
In the meantime, the NSO Group denies all of the accusations, “the report by Forbidden Stories is full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources,” read a company statement published on its website. In another statement issued on July 21, 2021, the group said, “enough was enough,” and that it will no longer respond to media queries, participating in “the vicious and slanderous campaign.”